New Simple DNSCrypt install doesn't work
Hi
I was a happy (albeit possibly in ignorance) user of the old DNSCrypt windows client (0.0.6) but had a recent problem with failed resolutions and it seemed that it was no longer maintained, so thought I would try out Simple DNSCrypt (0.4.3).
But I just can't get it to work. There is no documentation (blank wiki on github) that I can see and the interface is confusing. I eventually managed to enable the Live Log once I'd worked out that it needed a log file location specifying first, but no log entries ever appear.
On the Standard Settings page there are some mystery Services for Primary and Secondary DNSCrypt Service, but I've no idea what these are. Enabling them makes no difference either.
http://welcome.opendns.com/ says that I am not using OpenDNS so there is obviously something fundamentally wrong.
The old WinDNS Crypt client was so much simpler and more obvious to use, with traffic light status lights etc., so it's a shame the new client has regressed in this regard.
Any ideas?
-
See also https://support.opendns.com/hc/en-us/community/posts/115000490467
Else visit the github site to contact the authors of the tool. Or post screen shots of what you need help with.
-
Thanks for the info.
I eventually realised that one has to click the relevant network card icon so that it is ticked to enable the resolver for that interface. Then the live log started to fill up.
However https://welcome.opendns.com still isn't working and http://www.internetbadguys.com/ results in "We can’t connect to the server at c2eda10f06e25047de09e7e0c7ca551f2456.d0452297.id.opendns.com."
Some output from the cmds listed:
[code]
>nslookup -type=txt debug.opendns.com
Server: localhost
Address: 127.0.0.1
*** localhost can't find debug.opendns.com: Non-existent domain
>nslookup -type=txt which.opendns.com. 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
which.opendns.com text =
"m25.lon"
>nslookup whoami.akamai.net.
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: whoami.akamai.net
Address: 74.125.73.89
>netsh interface ipv4 show config
Configuration for interface "Ethernet 4"
DHCP enabled: Yes
IP Address: 169.254.219.104
Subnet Prefix: 169.254.0.0/16 (mask 255.255.0.0)
InterfaceMetric: 25
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Ethernet 5"
DHCP enabled: Yes
IP Address: 169.254.67.211
Subnet Prefix: 169.254.0.0/16 (mask 255.255.0.0)
InterfaceMetric: 25
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Ethernet 7"
DHCP enabled: Yes
IP Address: 192.168.0.208
Subnet Prefix: 192.168.0.0/24 (mask 255.255.255.0)
Default Gateway: 192.168.0.254
Gateway Metric: 0
InterfaceMetric: 25
Statically Configured DNS Servers: 127.0.0.1
127.0.0.2
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Ethernet 2"
DHCP enabled: No
IP Address: 169.254.123.14
Subnet Prefix: 169.254.0.0/16 (mask 255.255.0.0)
InterfaceMetric: 55
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
Configuration for interface "Loopback Pseudo-Interface 1"
DHCP enabled: No
IP Address: 127.0.0.1
Subnet Prefix: 127.0.0.0/8 (mask 255.0.0.0)
InterfaceMetric: 75
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
[/code]
-
"*** localhost can't find debug.opendns.com: Non-existent domain"
This indicates that the DNSCrypt proxy doesn't forward your DNS queries to OpenDNS, but to another DNS service (74.125.73.89 = Google). I believe you have to select something with "Cisco" from the drop-down list for "the first resolver", and do not select something for "the second resolver (optional)". You may also need to disable the "Secondary DNSCrypt Service".
After you have made these changes, the following from your interface "Ethernet 7" may have changed from
[code]
Statically Configured DNS Servers: 127.0.0.1
127.0.0.2
[/code]
to
[code]
Statically Configured DNS Servers: 127.0.0.1
[/code]
(i.e. just one DNS server entry)
Then try to verify again with:
nslookup -type=txt debug.opendns.com.
One of the TXT records should show that you have DNSCrypt enabled. The other TXT records should present the usual values from OpenDNS like server (e.g. m25) and data center location (lon = London in your case), OpenDNS network ID, account type, bundle ID, DNS flags, source IP address and port, and more.
-
I changed the Primary Resolver to Cisco OpenDNS and the OpenDNS test site now works! :-)
However DNSSEC now shows a cross so I guess it is not encrypted. :-(
Some testing shows that only the DNSCrypt.* resolvers support DNSSEC.
The old DNSCrypt windows client running on another machine works fine with the test site.
[code]
> nslookup -type=txt debug.opendns.com
1.0.0.127.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
(root) ??? unknown type 41 ???
Server: UnKnown
Address: 127.0.0.1
Non-authoritative answer:
debug.opendns.com text =
"server m25.lon"
debug.opendns.com text =
"flags 20 0 50 3950000000000000000"
debug.opendns.com text =
"originid 9876339"
debug.opendns.com text =
"actype 2"
debug.opendns.com text =
"bundle 3660515"
debug.opendns.com text =
"source 86.141.242.39:52452"
debug.opendns.com text =
"dnscrypt enabled (713156774457306E)"
(root) ??? unknown type 41 ???
>netsh interface ipv4 show config
[snip]
Configuration for interface "Ethernet 7"
DHCP enabled: Yes
IP Address: 192.168.0.208
Subnet Prefix: 192.168.0.0/24 (mask 255.255.255.0)
Default Gateway: 192.168.0.254
Gateway Metric: 0
InterfaceMetric: 25
Statically Configured DNS Servers: 127.0.0.1
127.0.0.2
Register with which suffix: Primary only
WINS servers configured through DHCP: None
[/code]
I had disabled the secondary DNSCrypt Service but I guess the above shows it is still active.
-
"However DNSSEC now shows a cross so I guess it is not encrypted. :-("
DNSCrypt and DNSSEC are two different things. Cisco/OpenDNS generally do not support DNSSEC, so that's ok.
See https://support.opendns.com/hc/en-us/search?utf8=%E2%9C%93&query=DNSSEC
The nslookup output looks as expected now.
"I had disabled the secondary DNSCrypt Service but I guess the above shows it is still active."
You can check if this second resolver 127.0.0.2 is still valid:
nslookup -type=txt debug.opendns.com. 127.0.0.2
If it does not respond or does not use OpenDNS, you can manually remove it from your "Ethernet 7" interface.
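One way to script the two checks suggested in this and the earlier reply (that debug.opendns.com reports "dnscrypt enabled", and that every resolver still listed on "Ethernet 7", the 127.0.0.2 entry included, is really OpenDNS) is the following added Python example; it is not code from the thread or from Simple DNSCrypt, it parses pasted netsh and nslookup output offline, and the sample text and the hex id placeholder are constructed.

```python
import re

# Constructed sample, modelled on the netsh output quoted in the thread
NETSH_SAMPLE = """\
Configuration for interface "Ethernet 7"
    Statically Configured DNS Servers:    127.0.0.1
                                          127.0.0.2
    Register with which suffix:           Primary only
Configuration for interface "Ethernet 2"
    Statically Configured DNS Servers:    None
"""
# Constructed sample of Windows nslookup output; the hex id is a placeholder
NSLOOKUP_SAMPLE = """\
Non-authoritative answer:
debug.opendns.com       text =
        "server m25.lon"
debug.opendns.com       text =
        "dnscrypt enabled (PLACEHOLDER_ID)"
"""

def static_dns_servers(netsh_output):
    """Interface name -> static DNS servers, including netsh's unlabelled
    continuation line for a second server (the 127.0.0.2 in the thread)."""
    servers, iface, more = {}, None, False
    for raw in netsh_output.splitlines():
        line = raw.strip()
        head = re.match(r'Configuration for interface "(.+)"', line)
        if head:
            iface, more = head.group(1), False
            servers[iface] = []
        elif line.startswith("Statically Configured DNS Servers:"):
            first = line.split(":", 1)[1].strip()
            more = first != "None"
            if more:
                servers[iface].append(first)
        elif more and re.fullmatch(r"[0-9A-Fa-f.:]+", line):
            servers[iface].append(line)  # continuation line: extra server
        else:
            more = False
    return servers

def txt_records(nslookup_output):
    """Quoted TXT strings from nslookup output (empty if the lookup failed)."""
    return re.findall(r'text\s*=\s*"([^"]*)"', nslookup_output)

def opendns_status(nslookup_output):
    """Did an OpenDNS server answer, and did the query arrive over DNSCrypt?"""
    info = dict(r.split(" ", 1) for r in txt_records(nslookup_output) if " " in r)
    return {"opendns": "server" in info, "server": info.get("server"),
            "dnscrypt": info.get("dnscrypt", "").startswith("enabled")}
```

Run `nslookup -type=txt debug.opendns.com. <server>` for each address static_dns_servers() returns and pass the output to opendns_status(); an entry that comes back with opendns False is the stale one to remove.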
-
RE: DNSSec =/= DNS Crypt, yes of course. Doh!
I managed to get the secondary DNSCrypt service resolver removed by clicking the relevant Network Card to disable it and then clicking it again. A GUI mgmt to proxy service interaction limitation I guess.
But after jumping (guided) through some hoops I think we're there now! Thanks again. :-)